From 85f69fda025b2970c322b115eead24710f74a002 Mon Sep 17 00:00:00 2001
From: Jianlin Liu
Date: Wed, 4 Mar 2026 16:40:34 +0800
Subject: [PATCH] Azure: Fix system-assigned managed identity authentication

---
 pkg/asset/manifests/azure/cluster.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/asset/manifests/azure/cluster.go b/pkg/asset/manifests/azure/cluster.go
index fb9a8ab3ffd..d0e48681720 100644
--- a/pkg/asset/manifests/azure/cluster.go
+++ b/pkg/asset/manifests/azure/cluster.go
@@ -266,15 +266,21 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 },
 Spec: capz.AzureClusterIdentitySpec{
 AllowedNamespaces: &capz.AllowedNamespaces{}, // Allow all namespaces.
- ClientID: session.Credentials.ClientID,
 TenantID: session.Credentials.TenantID,
 },
 }
 switch session.AuthType {
 case azic.ManagedIdentityAuth:
+ // Only set ClientID if it's provided (user-assigned managed identity).
+ // For system-assigned managed identity, ClientID is empty and CAPZ will
+ // use the identity automatically assigned to the VM.
+ if session.Credentials.ClientID != "" {
+ id.Spec.ClientID = session.Credentials.ClientID
+ }
 id.Spec.Type = capz.UserAssignedMSI
 case azic.ClientSecretAuth:
+ id.Spec.ClientID = session.Credentials.ClientID
 id.Spec.Type = capz.ServicePrincipal
 azureClientSecret := &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
@@ -296,6 +302,7 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 Namespace: azureClientSecret.Namespace,
 }
 case azic.ClientCertificateAuth:
+ id.Spec.ClientID = session.Credentials.ClientID
 id.Spec.Type = capz.ServicePrincipalCertificate
 id.Spec.CertPath = session.Credentials.ClientCertificatePath
 }
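Review bot: The new comment in the ManagedIdentityAuth case states as fact that CAPZ will fall back to the VM's system-assigned identity when ClientID is empty while Type stays capz.UserAssignedMSI; nothing in the hunk establishes that, so it reads as an assumption that should be confirmed against the vendored CAPZ version (its webhook validation and credential construction for UserAssignedMSI) and phrased accordingly, e.g. `// An empty ClientID relies on CAPZ selecting the VM's system-assigned identity for UserAssignedMSI; verified against CAPZ <VERSION>.` Because the identity is no longer pinned by client ID in that case, the manifest does not say which identity the cluster will authenticate as if the VM also carries user-assigned identities, which is worth a sentence in the same comment. Moving ClientID out of the struct literal also leaves a reader of the AzureClusterIdentitySpec block without a hint that the field is populated later; a line such as `// ClientID is set per auth type in the switch below.` above TenantID would help. The assignment is now repeated in the ClientSecretAuth case here and the ClientCertificateAuth case in the second hunk, and GenerateClusterAssets begins and ends outside both hunks.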